Rainy Days via rsync wrote:

> Hi,
>
> My company have been using rsync to sync our files to a backup server (running
> rsync daemon), and now we would like to store them encrypted.
> I found some threads that discussed this issue but they are pretty old (about
> 10 years ago). So I am sending this question again and looking for any new approach.
> Is there any option or module for rsync to encrypt files on the destination?
>
> Thanks a lot,
> Dat Le
Hi,

If the destination is Linux, you could maybe use ecryptfs to encrypt
a section of the file system. Everything would still appear decrypted
as long as the ecryptfs file system is mounted. But if you wanted it to
look encrypted, then maybe you could mount it, rsync, then unmount it.
Then it would at least appear encrypted most of the time (when rsync is
not actively in use). But this sounds dumb.

For rsync to do this automatically, it would need to be able to
automatically decrypt files in memory at the destination in order to
compare them to the source version, which means having access to the
decryption key at the destination. An option to run a process at the
other end to filter each file for comparison would be needed. That
would slow things down.

Another option is to have full disk encryption at the destination.
I know that this (and ecryptfs) still make unencrypted files accessible
while the host is running, and so may not satisfy the needs of your
threat model, but it does seem to satisfy the encryption-at-rest
requirements of some governments for some purposes.

Another approach (assuming Linux and ecryptfs) is to use ecryptfs at
the source to store everything encrypted, use a mountpoint for the
ecryptfs file system that isn't the same as the underlying directory so
that the encrypted versions of the files are accessible (which they
wouldn't be if the ecryptfs file system were mounted over the top of the
underlying directory), and just rsync the underlying encrypted directory
rather than the overlaid ecryptfs file system (where everything looks
decrypted). This approach doesn't require any changes to rsync and it
doesn't require the ability to decrypt the files on the destination
host. But it does require Linux and ecryptfs at both the source and the
destination.

cheers,
raf
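Added example, not part of the messages above and not rsync's own code: a pre-flight guard for the last approach in the reply, which refuses to run rsync unless the source is the ecryptfs lower (encrypted) directory rather than the mounted plaintext view. The paths, the sample mount table, and the `backuphost::backups/` daemon destination are assumptions chosen for illustration.

```shell
#!/bin/sh
# Guard for syncing the ecryptfs *lower* (encrypted) directory with rsync.
# Assumed layout: lower dir /srv/data/.enc, plaintext view at /srv/data/plain.

# Constructed sample in /proc/mounts format (used for offline checks).
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/srv/data/.enc /srv/data/plain ecryptfs rw,relatime,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=aes,ecryptfs_key_bytes=32 0 0
EOF
}

# classify_path PATH MOUNTS_FILE
# Prints "plaintext-view" if PATH is at or below an ecryptfs mountpoint,
# "lower" if it is at or below an ecryptfs lower directory, else "unrelated".
# An over-the-top mount (lower == mountpoint) counts as plaintext-view.
# Paths containing spaces (escaped as \040 in /proc/mounts) are not handled.
classify_path() {
    awk -v p="$1" '
        $3 == "ecryptfs" {
            if (p == $2 || index(p, $2 "/") == 1) { r = "plaintext-view"; exit }
            if (p == $1 || index(p, $1 "/") == 1) { r = "lower" }
        }
        END { print (r ? r : "unrelated") }
    ' "$2"
}

# sync_encrypted SRC DEST [MOUNTS_FILE]
# Runs rsync only when SRC is a lower directory, so ciphertext is what leaves the host.
# RSYNC can be overridden (for example RSYNC=echo) for a dry check.
sync_encrypted() {
    src=${1%/}
    dest=$2
    mounts=${3:-/proc/mounts}
    kind=$(classify_path "$src" "$mounts")
    if [ "$kind" != "lower" ]; then
        echo "refusing: $src is '$kind', not an ecryptfs lower directory" >&2
        return 1
    fi
    ${RSYNC:-rsync} -a --delete "$src/" "$dest"
}

# Example call (host and module name are placeholders):
#   sync_encrypted /srv/data/.enc backuphost::backups/
```

The guard only checks which side of the mount is being read; the destination stores whatever ciphertext ecryptfs wrote and never needs the key.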